|
To access OAuth integration settings, in the Admin module, select Security | OAuth SSO.
Enable OAuth | If checked, authentication with an OAuth provider is enabled and Artifactory will display all OAuth providers configured. If not checked, authentication is by Artifactory user/password. | |
Auto Create Artifactory Users | If checked, Artifactory will create an Artifactory user account for any new user logging in to Artifactory for the first time. | |
Default Provider | Specifies the provider through which different clients (such as NPM, for example) should authenticate their login to gain access to Artifactory.
| |
When checked, users created after authenticating using OAuth, will be able to access their profile. This means they are able to generate their API Key and set their password for future use. |
For your OAuth settings to work, make sure you have your Custom URL Base configured. |
The list of providers defined in Artifactory is displayed in the Providers section.
To add a new provider, click "New". Artifactory displays a dialog letting you enter the provider details. These may vary slightly depending on the provider you are configuring.
The following table describes the settings required by each supported provider, and the corresponding values you should use (where available):
GitHub | Git Enterprise | Cloud Foundry UAA | OpenID | Description | ||
Enabled | ![]() | ![]() | ![]() | ![]() | ![]() | If checked, this OAuth provider is enabled and will appear in the login dialog. |
Provider Name | ![]() | ![]() | ![]() | ![]() | ![]() | A logical name for this provider. For example, "Google OAuth", "GitHub OAuth". This must be unique within Artifactory. |
Provider Type | ![]() | ![]() | ![]() | ![]() | ![]() | The provider type. Currently GitHub, Git Enterprise, Google, OpenID, and Cloud Foundry are supported. |
Provider ID | ![]() | ![]() | ![]() | ![]() | ![]() | The identity with which you identify your organization to the provider. This is provided by the OAuth provider when you set up your account with them. |
Secret | ![]() | ![]() | ![]() | ![]() | ![]() | The secret allocated to your organization by the provider. This is provided by the OAuth provider when you set up your account with them. |
Domain | ![]() | Specifies a domain filter which defines from which domains users may be authenticated. Normally, this will be your domain name. For example | ||||
Docker Login | ![]() | Support for Docker login | ||||
Npm Login | ![]() | Support for Npm login | ||||
Basic URL | https://github.com/ |
| The base URL of the Git server which should be used for authentication. | |||
Auth URL | https://github.com/login/oauth/authorize |
| https://accounts.google.com/o/oauth2/auth | | ![]() | The URL through which the provider redirects you to the authentication page. |
API URL | https://api.github.com/user | <Server Base URL>/api/v3/user | https://www.googleapis.com/oauth2/v1/userinfo | | ![]() | The URL through which Artifactory can get extra information that it not directly available via OAuth. |
Token URL | https://github.com/login/oauth/access_token | <Server Base URL>/login/oauth/access_token | https://www.googleapis.com/oauth2/v3/token |
| ![]() | The URL that Artifactory will go to to get a token to use the API. |
You may pass query params along with the Authorization URL. For example,
https://github.com/login/oauth/authorize?realm=Employees |
Multiple query params should be separated with an ampersand. For example,
https://github.com/login/oauth/authorize?realm=Employees?client_id=XXXXXXXXXXX&scope=openid%20profile%20email |
If you already have an account in Artifactory, in order to be able to login using any of your OAuth provider accounts, you need to bind your Artifactory account to the corresponding account.
To bind your account, go to your Profile page and enter your Artifactory password to unlock it.
Under OAuth User Binding, select Click to bind next to the OAuth provider you wish to bind to.
In order to use OAuth authentication, you need to set up an account with each OAuth provider you wish to use in order to get the various parameters (such as Provider ID and Secret) you will need to set up OAuth integration in Artifactory.
To set up your OAuth account on GitHub, execute the following steps:
Login to your GitHub account. Under your personal profile settings, select Applications and click the .
Click Register new application.
Set the Application name. For example, ArtifactoryAOL OAuth.
Set the Homepage Url. This is your Artifactory server host URL (https://<artifactory-server>/
).
For example, https://mycompany.jfrog.io/mycompany/
Set the Authorization Callback Url as follows:
For Artifactory on-prem installation: http://<server_host>/artifactory/api/oauth2/loginResponse
For example, http://mycompany.artifactory.com/artifactory/api/oauth2/loginResponse
https://<server_name>.jfrog.io/<server_name>/api/oauth2/loginResponse
https://mycompany.jfrog.io/mycompany/api/oauth2/loginResponse
Click Register application to generate your Client ID and Client Secret.
Make a note of these; you will need them to configure OAuth authentication through GitHub on Artifactory.
To set up your OAuth account on Google, execute the following steps:
Create a new project. For example, "Artifactory OAuth".
Once the project is created, in the left navigation bar, select APIs & auth | Credentials.
Select the OAuth consent screen tab and configure the consent screen end users will see when logging in with the Google credentials.
Back in the Credentials tab, Click Add Credential and select OAuth 2.0 client ID
Under Create client ID, select Web application.
Enter a Name and set the Authorized redirect URIs
For Artifactory on-prem: https://<server_host>/artifactory/api/oauth2/loginResponse
For Artifactory SaaS: https://<server_name>.jfrog.io/<server_name>/api/oauth2/loginResponse
OAuth authentication with Cloud Foundry UAA is supported from Artifactory version 4.2.1.
To setup your OAuth authentication with Cloud Foundry UAA, fill in the fields as needed.
To use secure OAuth with a valid certificate from a CA trusted by Java, all you need to do us use a secure OAuth URL in your settings.
If you want to use OAuth with a non-trusted (self-signed) certificate, please follow the steps described in Using a Self-Signed Certificate.
While OAuth provides access to Artifactory UI, it is also possible for OAuth users to generate an API key that can be used instead of a password for basic authentication or in a dedicated REST API header, this is very useful when working with different clients, e.g. docker, npm, maven, etc. or using Artifactory REST API.
In order to allow OAuth users access to an API key you will need to make sure that the "Auto Create Artifactory Users" and "Allow Created Users Access To Profile Page" check boxes are checked. This means that OAuth users are also saved in Artifactory database and can access their profile page in order to generate, retrieve and revoke their API key.
The OAuth protocol requires the client to give permission to a specific application. Artifactory will redirect the user to the configured application URL and one permission is granted user will be navigated back.
The limitation on this process when working in High Availability setup is that the user must return to the same node, otherwise the authentication process will fail, in order to achieve this a sticky session configuration should include the /artifactory/api/oauth2/
.
The example below shows NGINX configuration.
location ~ (/artifactory/webapp/|/artifactory/ui/|/artifactory/api/oauth2/) { proxy_http_version 1.1; proxy_pass http://<UPSTREAM_NAME>; proxy_intercept_errors on; proxy_pass_header Server; proxy_connect_timeout 75s; proxy_send_timeout 2400s; proxy_read_timeout 2400s; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Artifactory-Override-Base-Url $http_x_forwarded_proto://$host/artifactory; } |